wip: integrate certmanager to rpxy-bin along with existing old rustls

rpxy-certs/Cargo.toml

@@ -22,6 +22,7 @@ thiserror = { version = "1.0.61" }
 hot_reload = { version = "0.1.5" }
 async-trait = { version = "0.1.80" }
 rustls = { version = "0.23.8", default-features = false, features = [
+  "std",
   "aws_lc_rs",
 ] }
 rustls-pemfile = { version = "2.1.2" }
@@ -33,9 +34,6 @@ x509-parser = { version = "0.16.0" }
 
 [dev-dependencies]
 tokio = { version = "1.37.0", default-features = false, features = [
-  # "net",
   "rt-multi-thread",
-  # "time",
-  # "sync",
   "macros",
 ] }

rpxy-certs/src/error.rs

@@ -18,4 +18,10 @@ pub enum RpxyCertError {
   /// Error when converting server name bytes to string
   #[error("Failed to convert server name bytes to string: {0}")]
   ServerNameBytesToString(#[from] std::string::FromUtf8Error),
+  /// Rustls error
+  #[error("Rustls error: {0}")]
+  RustlsError(#[from] rustls::Error),
+  /// Rustls CryptoProvider error
+  #[error("Rustls No default CryptoProvider error")]
+  NoDefaultCryptoProvider,
 }

rpxy-certs/src/lib.rs

@@ -9,18 +9,17 @@ mod log {
   pub(super) use tracing::{debug, error, info, warn};
 }
 
-use crate::{
-  error::*,
-  reloader_service::{CryptoReloader, DynCryptoSource},
-};
+use crate::{error::*, log::*, reloader_service::DynCryptoSource};
 use hot_reload::{ReloaderReceiver, ReloaderService};
 use rustc_hash::FxHashMap as HashMap;
+use rustls::crypto::{aws_lc_rs, CryptoProvider};
 use std::sync::Arc;
 
 /* ------------------------------------------------ */
 pub use crate::{
   certs::SingleServerCertsKeys,
   crypto_source::{CryptoFileSource, CryptoFileSourceBuilder, CryptoFileSourceBuilderError, CryptoSource},
+  reloader_service::CryptoReloader,
   server_crypto::{ServerCrypto, ServerCryptoBase},
 };
 
@@ -44,6 +43,10 @@ pub async fn build_cert_reloader<T>(
 where
   T: CryptoSource<Error = RpxyCertError> + Send + Sync + Clone + 'static,
 {
+  info!("Building certificate reloader service");
+  // Install aws_lc_rs as default crypto provider for rustls
+  let _ = CryptoProvider::install_default(aws_lc_rs::default_provider());
+
   let source = crypto_source_map
     .iter()
     .map(|(k, v)| {

rpxy-certs/src/server_crypto.rs

@@ -1,6 +1,7 @@
 use crate::{certs::SingleServerCertsKeys, error::*, log::*};
 use rustc_hash::FxHashMap as HashMap;
 use rustls::{
+  crypto::CryptoProvider,
   server::{ResolvesServerCertUsingSni, WebPkiClientVerifier},
   RootCertStore, ServerConfig,
 };
@@ -40,7 +41,6 @@ impl TryInto<Arc<ServerCrypto>> for &ServerCryptoBase {
   fn try_into(self) -> Result<Arc<ServerCrypto>, Self::Error> {
     let aggregated = self.build_aggrated_server_crypto()?;
     let individual = self.build_individual_server_crypto_map()?;
-
     Ok(Arc::new(ServerCrypto {
       aggregated_config_no_client_auth: Arc::new(aggregated),
       individual_config_map: Arc::new(individual),
@@ -53,6 +53,9 @@ impl ServerCryptoBase {
   fn build_individual_server_crypto_map(&self) -> Result<ServerNameCryptoMap, RpxyCertError> {
     let mut server_crypto_map: ServerNameCryptoMap = HashMap::default();
 
+    // AWS LC provider by default
+    let provider = CryptoProvider::get_default().ok_or(RpxyCertError::NoDefaultCryptoProvider)?;
+
     for (server_name_bytes, certs_keys) in self.inner.iter() {
       let server_name = server_name_bytes_to_string(server_name_bytes)?;
 
@@ -69,9 +72,11 @@ impl ServerCryptoBase {
 
       // With no client authentication case
       if !certs_keys.is_mutual_tls() {
-        let mut server_crypto_local = ServerConfig::builder()
+        let mut server_crypto_local = ServerConfig::builder_with_provider(provider.clone())
+          .with_safe_default_protocol_versions()?
           .with_no_client_auth()
           .with_cert_resolver(Arc::new(resolver_local));
+
         #[cfg(feature = "http3")]
         {
           server_crypto_local.alpn_protocols = vec![b"h3".to_vec(), b"h2".to_vec(), b"http/1.1".to_vec()];
@@ -93,11 +98,14 @@ impl ServerCryptoBase {
       let trust_anchors_without_skid = trust_anchors.values().map(|ta| ta.to_owned());
       client_ca_roots_local.extend(trust_anchors_without_skid);
 
-      let Ok(client_cert_verifier) = WebPkiClientVerifier::builder(Arc::new(client_ca_roots_local)).build() else {
+      let Ok(client_cert_verifier) =
+        WebPkiClientVerifier::builder_with_provider(Arc::new(client_ca_roots_local), provider.clone()).build()
+      else {
         warn!("Failed to build client CA certificate verifier for {server_name}");
         continue;
       };
-      let mut server_crypto_local = ServerConfig::builder()
+      let mut server_crypto_local = ServerConfig::builder_with_provider(provider.clone())
+        .with_safe_default_protocol_versions()?
         .with_client_cert_verifier(client_cert_verifier)
         .with_cert_resolver(Arc::new(resolver_local));
       server_crypto_local.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
@@ -112,6 +120,9 @@ impl ServerCryptoBase {
   fn build_aggrated_server_crypto(&self) -> Result<ServerConfig, RpxyCertError> {
     let mut resolver_global = ResolvesServerCertUsingSni::new();
 
+    // AWS LC provider by default
+    let provider = CryptoProvider::get_default().ok_or(RpxyCertError::NoDefaultCryptoProvider)?;
+
     for (server_name_bytes, certs_keys) in self.inner.iter() {
       let server_name = server_name_bytes_to_string(server_name_bytes)?;
 
@@ -129,7 +140,8 @@ impl ServerCryptoBase {
       }
     }
 
-    let mut server_crypto_global = ServerConfig::builder()
+    let mut server_crypto_global = ServerConfig::builder_with_provider(provider.clone())
+      .with_safe_default_protocol_versions()?
       .with_no_client_auth()
       .with_cert_resolver(Arc::new(resolver_global));
 
@@ -145,3 +157,48 @@ impl ServerCryptoBase {
     Ok(server_crypto_global)
   }
 }
+
+/* ------------------------------------------------ */
+#[cfg(test)]
+mod tests {
+  use super::*;
+  use crate::{CryptoFileSourceBuilder, CryptoSource};
+  use std::convert::TryInto;
+
+  async fn read_file_source() -> SingleServerCertsKeys {
+    let tls_cert_path = "../example-certs/server.crt";
+    let tls_cert_key_path = "../example-certs/server.key";
+    let client_ca_cert_path = Some("../example-certs/client.ca.crt");
+    let crypto_file_source = CryptoFileSourceBuilder::default()
+      .tls_cert_key_path(tls_cert_key_path)
+      .tls_cert_path(tls_cert_path)
+      .client_ca_cert_path(client_ca_cert_path)
+      .build();
+    crypto_file_source.unwrap().read().await.unwrap()
+  }
+
+  #[tokio::test]
+  async fn test_server_crypto_base_try_into() {
+    let mut server_crypto_base = ServerCryptoBase::default();
+
+    let single_certs_keys = read_file_source().await;
+    server_crypto_base.inner.insert(b"localhost".to_vec(), single_certs_keys);
+    let server_crypto: Arc<ServerCrypto> = (&server_crypto_base).try_into().unwrap();
+    assert_eq!(server_crypto.individual_config_map.len(), 1);
+
+    #[cfg(feature = "http3")]
+    {
+      assert_eq!(
+        server_crypto.aggregated_config_no_client_auth.alpn_protocols,
+        vec![b"h3".to_vec(), b"h2".to_vec(), b"http/1.1".to_vec()]
+      );
+    }
+    #[cfg(not(feature = "http3"))]
+    {
+      assert_eq!(
+        server_crypto.aggregated_config_no_client_auth.alpn_protocols,
+        vec![b"h2".to_vec(), b"http/1.1".to_vec()]
+      );
+    }
+  }
+}